Site blocked in China? Netlify and the Chinese Great Firewall (GFW)

Hello, I just relaunched my site on Netlify and I noticed that I can’t connect to my site without using a VPN while in China. I checked using the Great Firewall Test and they confirmed my site doesn’t work in China. Any way around this?

3 Likes

Having the same issue:

Hi folks! As I’m sure you know, we don’t have any control over what is blocked by the Great Firewall. However, most of the testing tools out there don’t do a good job of testing “is your Netlify website unloadable in China”, but instead do something like this:

  1. do an outside-of-China DNS lookup of your site. All DNS lookups come from one location, so one answer is received by the tool from “outside the firewall”.
  2. If you have DNS configured optimally (see this article for more details on the topic), a DNS lookup for your site will return different IP addresses from different locations, based on their geographic nearness to our various data centers. Immediate problem: a lookup in the US or South America or Australia would basically NEVER match a result from Asia. So, there is that initial confounding factor to this methodology.
  3. While our list of data centers can and does change frequently and without announcement, this post is a relatively up to date list that we made recently.

Further complicating factor: we have several CDN nodes in most locations, and so even from e.g. Singapore, you could get one of several IP addresses for even lookups performed at the same time, as our DNS intentionally returns first one and then a different IP for the same lookup to help distribute load.

There may be checking tools that do something more sophisticated, but the last time I spent several hours looking into this for a customer, I could not find one that wasn’t a DNS-based test, and the conclusion we came to was that their site was generally available in China, which was only determinable via testing from within China.

If you have some specific reports from within China of site unreachable, it would be great to know two things to help us debug:

  1. what nslookup your.customdoma.in returns from a computer that experiences the problem AT THE TIME IT EXPERIENCES THE PROBLEM, so we can see if that IP is one of our nodes or not.
  2. a HAR file of the loading experience, in case it is “site loads poorly” rather than “site doesn’t load at all”. This is the place to instruct folks about how to grab a HAR file: HAR Analyzer

Once we’ve seen that data, we would be happy to investigate and speak to what is actually happening (accepting of course that if China blocks your website, we can’t really stop them from doing so), but at a high level, most of the tools I could find were not a good test based on how our CDN handles routing.

3 Likes
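The confounding factor described in the post above (answers that differ by location and by lookup, even though every answer is a legitimate CDN node) is easy to mis-read as a block. The script below is an added example, not code from the thread or from Netlify: it takes the A/AAAA answers a hostname received from several resolvers and decides, per vantage point, whether the lookup failed, returned only known CDN nodes, or returned something outside the node list. The node prefixes are constructed placeholders chosen so that addresses quoted later in this thread fall inside them; a real check would load the provider's current node list, and a "foreign" verdict can also mean that list is stale.

```python
"""Compare DNS answers for one hostname gathered from several vantage points
and decide whether a difference is evidence of blocking or just geo-DNS.

Added example, not from the thread or from Netlify. The node prefixes are
constructed placeholders; a real check would use the provider's current list.
"""
import ipaddress
from typing import Dict, List

# Constructed stand-in for the CDN provider's published node list.
CDN_NODE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "157.230.35.0/24", "157.230.37.0/24", "157.230.45.0/24",
    "134.209.106.0/24", "178.128.17.0/24", "206.189.89.0/24",
    "2400:6180:0:d0::/64", "2400:6180:0:d1::/64",
)]


def is_cdn_node(addr: str) -> bool:
    """True if addr lies inside one of the known node prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CDN_NODE_PREFIXES)


def classify_vantage(addresses: List[str]) -> str:
    """Verdict for the answer set one resolver returned.

    no-answer : the lookup returned nothing (DNS itself failed from there)
    cdn       : every address is a known node (the site resolves normally)
    foreign   : at least one address is outside the node list (unexpected
                answer, or the local node list is out of date)
    """
    if not addresses:
        return "no-answer"
    return "cdn" if all(is_cdn_node(a) for a in addresses) else "foreign"


def classify(answers: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each vantage label to its verdict."""
    return {vantage: classify_vantage(addrs) for vantage, addrs in answers.items()}


def geo_dns_only(answers: Dict[str, List[str]]) -> bool:
    """True when vantages disagree on addresses but every vantage got nodes.

    That is the location-dependent, load-spreading behaviour the post
    describes; a tool that merely compares answers across locations would
    misreport it as a block.
    """
    verdicts = classify(answers)
    if not verdicts or any(v != "cdn" for v in verdicts.values()):
        return False
    distinct = {frozenset(a) for a in answers.values()}
    return len(distinct) > 1


# Constructed sample: addresses quoted in this thread, plus one vantage that
# got no answer and one that got a non-node address (203.0.113.7 is a
# TEST-NET-3 documentation address used here as a placeholder).
SAMPLE = {
    "outside-cn":    ["157.230.37.202", "206.189.89.118"],
    "cn-isp":        ["134.209.106.40", "157.230.35.153",
                      "2400:6180:0:d0::835:4001"],
    "cn-no-answer":  [],
    "cn-unexpected": ["203.0.113.7"],
}

if __name__ == "__main__":
    for vantage, verdict in classify(SAMPLE).items():
        print(f"{vantage:15} {verdict}")
    healthy = {k: SAMPLE[k] for k in ("outside-cn", "cn-isp")}
    print("differs only by geo-DNS:", geo_dns_only(healthy))
```

Only the "no-answer" and "foreign" verdicts say anything about reachability; two vantages that both get "cdn" with different addresses are exactly the normal case the post describes, so `geo_dns_only` reports them as benign rather than as a mismatch.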

I’m within China; I just used the tool to double-check, but thanks for the clarification about your CDN nodes. Anyway, interesting thing: it would seem they block sites by default until crawled by their search engine; as soon as I went through the process the site was working normally.

that’s interesting :thinking: thanks for sharing.

Hope that Netlify DNS could update a new feature which allows us to enable different routes for visitors in China. Just like DNSPod, visitors from different regions can visit the same domain from different servers, not just different CDN nodes.

even netlify.com is blocked

@flinhong: not sure what that service does? Certainly we have the ability to route to any CDN node from any geolocation; that’s how our CDN works. Could you elaborate a bit more on what that solution might look like, and particularly my next point? I think it doesn’t matter what CDN node we route to if the firewall wants to block our content, but obviously, this is largely a guess since I don’t know everything about how it is implemented.

@Njegos: Can you give us more details about what is blocked from where (I assume you are testing from within China?), using the guidelines I mentioned above?

If you have some specific reports from within China of site unreachable, it would be great to know two things to help us debug:

  1. what nslookup your.customdoma.in returns from a computer that experiences the problem AT THE TIME IT EXPERIENCES THE PROBLEM, so we can see if that IP is one of our nodes or not.
  2. a HAR file of the loading experience, in case it is “site loads poorly” rather than “site doesn’t load at all”. This is the place to instruct folks about how to grab a HAR file: HAR Analyzer

That will hopefully help us quantify a bit what the failure is :slight_smile:

Yeah tested within China (Shenzhen and Beijing).

Here’s the nslookup:
Non-authoritative answer:
njegos.dev nameserver = dns4.p07.nsone.net.
njegos.dev nameserver = dns3.p07.nsone.net.
njegos.dev nameserver = dns2.p07.nsone.net.
njegos.dev nameserver = dns1.p07.nsone.net.
njegos.dev nameserver = dns2.p07.nsone.net.
njegos.dev nameserver = dns1.p07.nsone.net.
njegos.dev nameserver = dns4.p07.nsone.net.
njegos.dev nameserver = dns3.p07.nsone.net.

Authoritative answers can be found from:

With VPN on:

Non-authoritative answer:
njegos.dev
        origin = dns1.p07.nsone.net
        mail addr = njegos.gmx.us
        serial = 1571711553
        refresh = 43200
        retry = 7200
        expire = 1209600
        minimum = 3600
njegos.dev      mail exchanger = 10 mx.zoho.com.
njegos.dev      mail exchanger = 50 mx3.zoho.com.
njegos.dev      mail exchanger = 20 mx2.zoho.com.
njegos.dev      nameserver = dns4.p07.nsone.net.
njegos.dev      nameserver = dns3.p07.nsone.net.
njegos.dev      nameserver = dns2.p07.nsone.net.
njegos.dev      nameserver = dns1.p07.nsone.net.

Authoritative answers can be found from:
njegos.dev      nameserver = dns4.p07.nsone.net.
njegos.dev      nameserver = dns2.p07.nsone.net.
njegos.dev      nameserver = dns1.p07.nsone.net.
njegos.dev      nameserver = dns3.p07.nsone.net.

None of that seems wrong. What is the IP address that it resolves to? If none, then China is blocking the DNS traffic and there’s nothing we can do there.

From my understanding, Netlify DNS could add an additional function like this:

Then, the site owner can configure the traffic line for Chinese visitors to another available server address other than the Netlify CDNs.

Our DNS functionality does not work in that way and we don’t have any plans to extend it. Namely: we don’t have any “other” DNS servers to point folks to. You’d need to use external DNS hosting, that has that functionality if you’d like it.

Netlify and the deployed sites are blocked by the Great Firewall. Has anyone resolved this issue?

Hi, @weihao, and welcome to our Netlify community site.

At this time, there isn’t any official solution for a nation blocking access to the IP addresses that our service is hosted on.

I am in China. I can confirm both netlify.com and netlify.app are accessible in China, but not stably: there is some packet loss sometimes, so sometimes I get reports that my site is broken, but when I test, it is still live.

Here is my nslookup result:

$ nslookup netlify.com 202.96.134.33
Server:		202.96.134.33
Address:	202.96.134.33#53

Non-authoritative answer:
Name:	netlify.com
Address: 157.230.37.202
Name:	netlify.com
Address: 206.189.89.118

DNS IP 202.96.134.33 is my ISP’s default DNS server.

$ ping 157.230.37.202
PING 157.230.37.202 (157.230.37.202) 56(84) bytes of data.
64 bytes from 157.230.37.202: icmp_seq=4 ttl=52 time=329 ms
64 bytes from 157.230.37.202: icmp_seq=6 ttl=52 time=337 ms
64 bytes from 157.230.37.202: icmp_seq=9 ttl=52 time=333 ms
64 bytes from 157.230.37.202: icmp_seq=10 ttl=52 time=333 ms
64 bytes from 157.230.37.202: icmp_seq=11 ttl=52 time=336 ms
64 bytes from 157.230.37.202: icmp_seq=13 ttl=52 time=336 ms
^C
--- 157.230.37.202 ping statistics ---
14 packets transmitted, 6 received, 57.1429% packet loss, time 13226ms
rtt min/avg/max/mdev = 328.518/333.797/337.064/2.888 ms

Sorry to hear it! What happens when you ping other addresses that are publicly available, such as 8.8.8.8 (Google DNS server) or 1.1.1.1 (Cloudflare DNS server)? I’m looking to understand if you have slow/flaky network access to everywhere outside of China, or if it is somehow specific to one or more of our IPs. That one you quote is a CDN node in Singapore, which is a pretty reasonable place for your traffic to end up, at least!

But in the end, pings don’t matter as much as web traffic since we aren’t trying to make pings work - if you (or anyone) gets slow loads and can send us the x-nf-request-id of the slow request, we can usually determine if we sent slowly, or if the network was to blame. This article talks about how to find that:

Here is the information when I encounter slow access.

$ curl -i https://dualsub.netlify.app/
HTTP/2 200 
cache-control: public, max-age=0, must-revalidate
content-length: 881
content-type: text/html; charset=UTF-8
date: Sun, 15 Nov 2020 10:38:17 GMT
etag: "233033ef3d45ad9b6d2937803d814e76-ssl"
strict-transport-security: max-age=31536000; includeSubDomains; preload
age: 86989
server: Netlify
x-nf-request-id: 00485cae-1239-4142-b844-a880b7894728-916927

<!DOCTYPE html>
[truncated]

I executed the commands below right after the curl command.

$ nslookup dualsub.netlify.app
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	dualsub.netlify.app
Address: 157.230.45.115
Name:	dualsub.netlify.app
Address: 178.128.17.49
Name:	dualsub.netlify.app
Address: 2400:6180:0:d1::4df:d001
Name:	dualsub.netlify.app
Address: 2400:6180:0:d1::575:a001
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=17.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=17.0 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=116 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=116 time=17.2 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=116 time=17.1 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=116 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=116 time=17.1 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=116 time=16.9 ms
^C
--- 8.8.8.8 ping statistics ---
11 packets transmitted, 9 received, 18.1818% packet loss, time 10050ms
rtt min/avg/max/mdev = 16.876/16.992/17.181/0.105 ms
$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=169 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=6 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=7 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=9 ttl=55 time=169 ms
64 bytes from 1.1.1.1: icmp_seq=10 ttl=55 time=168 ms
^C
--- 1.1.1.1 ping statistics ---
10 packets transmitted, 9 received, 10% packet loss, time 9055ms
rtt min/avg/max/mdev = 167.841/168.350/168.688/0.222 ms
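The reply above asks for two things: the x-nf-request-id from the slow request, and ping results to public baselines so that loss to the CDN node can be compared with loss to everywhere else. The script below is an added example, not code from the thread or from Netlify; it parses a pasted terminal session of the kind posted here, pulls out the request ids, collects the per-target ping summaries, and applies a simple loss comparison. The session text is constructed from the figures quoted in this thread, and the 20-point margin is an arbitrary threshold chosen for illustration.

```python
"""Triage a pasted terminal session: extract CDN request ids from curl output
and compare ICMP loss to the CDN node against public baseline targets.

Added example, not part of the thread or of Netlify's tooling. SESSION is
constructed from figures quoted in the thread; MARGIN is an arbitrary choice.
"""
import re
from typing import Dict, Sequence

# Constructed session, condensed from the outputs posted in this thread.
SESSION = """\
$ curl -i https://dualsub.netlify.app/
HTTP/2 200
server: Netlify
x-nf-request-id: 00485cae-1239-4142-b844-a880b7894728-916927

$ ping 157.230.37.202
--- 157.230.37.202 ping statistics ---
14 packets transmitted, 6 received, 57.1429% packet loss, time 13226ms
rtt min/avg/max/mdev = 328.518/333.797/337.064/2.888 ms
$ ping 8.8.8.8
--- 8.8.8.8 ping statistics ---
11 packets transmitted, 9 received, 18.1818% packet loss, time 10050ms
rtt min/avg/max/mdev = 16.876/16.992/17.181/0.105 ms
$ ping 1.1.1.1
--- 1.1.1.1 ping statistics ---
10 packets transmitted, 9 received, 10% packet loss, time 9055ms
rtt min/avg/max/mdev = 167.841/168.350/168.688/0.222 ms
"""

MARGIN = 20.0  # percentage points; arbitrary illustration threshold

REQUEST_ID = re.compile(r"^x-nf-request-id:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Matches the two-or-three line summary that Linux ping prints on exit. The
# rtt line is optional because ping omits it when no reply was received.
PING_SUMMARY = re.compile(
    r"--- (?P<target>\S+) ping statistics ---\n"
    r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) received, "
    r"(?P<loss>[\d.]+)% packet loss.*\n"
    r"(?:rtt min/avg/max/mdev = [\d.]+/(?P<avg>[\d.]+)/)?"
)


def request_ids(session: str) -> list:
    """Every x-nf-request-id header value in the session, in order."""
    return REQUEST_ID.findall(session)


def ping_stats(session: str) -> Dict[str, dict]:
    """Per-target counts, loss percentage and average RTT (None if no replies)."""
    stats = {}
    for m in PING_SUMMARY.finditer(session):
        stats[m.group("target")] = {
            "sent": int(m.group("sent")),
            "received": int(m.group("recv")),
            "loss_pct": float(m.group("loss")),
            "avg_rtt_ms": float(m.group("avg")) if m.group("avg") else None,
        }
    return stats


def loss_verdict(stats: Dict[str, dict], target: str,
                 baselines: Sequence[str] = ("8.8.8.8", "1.1.1.1"),
                 margin: float = MARGIN) -> str:
    """Compare loss to the target with the worst loss among the baselines.

    no-data         : the target was not pinged
    target-specific : target loss is high and exceeds the worst baseline by
                      more than `margin` points
    general         : target loss is high but the baselines are nearly as bad
                      (the whole outbound path is lossy)
    clean           : target loss is within the margin
    """
    if target not in stats:
        return "no-data"
    base = [stats[b]["loss_pct"] for b in baselines if b in stats]
    worst_baseline = max(base) if base else 0.0
    target_loss = stats[target]["loss_pct"]
    if target_loss > margin and target_loss - worst_baseline > margin:
        return "target-specific"
    if target_loss > margin:
        return "general"
    return "clean"


if __name__ == "__main__":
    print("request ids:", request_ids(SESSION))
    stats = ping_stats(SESSION)
    for host, s in stats.items():
        print(f"{host:16} loss={s['loss_pct']:.1f}% avg_rtt={s['avg_rtt_ms']}")
    print("verdict:", loss_verdict(stats, "157.230.37.202"))
```

The verdict only separates "lossy to this node" from "lossy to everything", which is the question the reply poses; as the same reply notes, ICMP loss is not the same as failed page loads, so the request id, which identifies the exact request on the CDN side, is the more useful artifact to send along.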

Oh, I made a mistake: I added netlify.com and netlify.app to my local DNS server (with dnsmasq + OpenDNS), so the nslookup command in my previous post is equivalent to:

nslookup dualsub.netlify.app 208.67.222.222

Now I change to my ISP’s default DNS:

$ nslookup dualsub.netlify.app 202.96.128.166
Server:		202.96.128.166
Address:	202.96.128.166#53

Non-authoritative answer:
Name:	dualsub.netlify.app
Address: 134.209.106.40
Name:	dualsub.netlify.app
Address: 157.230.35.153
Name:	dualsub.netlify.app
Address: 2400:6180:0:d0::835:4001
Name:	dualsub.netlify.app
Address: 2400:6180:0:d1::575:a001
$ curl -i https://dualsub.netlify.app/
HTTP/2 200 
cache-control: public, max-age=0, must-revalidate
content-length: 881
content-type: text/html; charset=UTF-8
date: Sun, 15 Nov 2020 13:10:45 GMT
etag: "233033ef3d45ad9b6d2937803d814e76-ssl"
strict-transport-security: max-age=31536000; includeSubDomains; preload
age: 78448
server: Netlify
x-nf-request-id: b700ea10-fdd2-456f-a7ea-6706719d37a3-18411156

<!DOCTYPE html>
[truncated]

So sorry I missed your followups, @muzuiget! I know it’s been some time since you posted, but still happy to work on this if you are still struggling.

However, it seems like you could access the site since you got x-nf-request-id response headers; those come from our CDN nodes, so if you were blocked, you would not have received them. Could you help us quantify the number of reports vs. the number of visitors your site has had (which seems to me to be a bit north of 4000 unique IPs in the past 25 days of history I have access to) so I can better understand the impact to you?

Hi Njegos,

I would try some Chinese local PaaS solutions like Aliyun https://www.aliyun.com/ or 21YunBox https://www.21yunbox.com (similar to Netlify), because these providers help you get an ICP beian (a permit to host your website in China). If you don’t have an ICP, your website will likely be blocked one day by the Chinese government.